Date: Sun, 17 Mar 91 12:24 EST
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: DPMA Talk - "A NEW STRATEGY FOR COMPUTER VIRUSES"
A NEW STRATEGY FOR COMPUTER VIRUSES
William H. Murray
Deloitte & Touche
Wilton, Connecticut
A New Strategy for Computer Viruses 1
PREFACE
This presentation was prepared for and delivered to the
"DPMA 4th Annual Virus and Security Conference" on March 14,
1991.
Preface 2
ABSTRACT
This presentation argues that it is time for a new strategy
for dealing with computer viruses. It reviews the present
strategy and suggests that it was adopted before we knew
whether or not viruses would be successful. It points out
that this strategy is essentially "clinical." That is, it
treats the symptoms of the virus without directly dealing
with its growth and spread.
It presents evidence that at least two computer viruses,
Jerusalem B and Stoned, are epidemic, that more copies are
being created than are being killed. It argues that simply
the growth of the viruses, without regard to their symptoms,
is a problem.
It argues that it is now time for an epidemiological
approach to viruses. A keystone of such an approach will be
the massive and pervasive use of vaccine programs. These
programs are characterized by being resident, automatic,
getting control early, and acting to resist the very
execution of the virus program.
The presentation notes that there is significant resistance
to such a strategy and, specifically, to the use of such
programs. It addresses many of the arguments used to
justify this resistance. It concludes that we will
ultimately be forced to such a strategy, but that, given the
growth of the viruses and the resistance to stragtegy, we
will not likely act on a timely basis.
Abstract 3
STRATEGY
It is time for a new strategy for dealing with computer
viruses. The present strategy recommended by computer
manufacturers, the National Institute of Standards and
Technology (NIST), this author, and others is to:
* Practice good computer hygiene
* Keep clean copies of programs and data
* Scan new programs, all programs periodically
* Watch for symptoms
* Purge when necessary
* Restore programs and data from clean copies as required
Because many of us believed that talking about viruses could
only make the problem worse, there was also a "silence"
component in the strategy.
This strategy was developed more than three years ago. At
that time, the potential for success of computer viruses was
still unknown. The concern was for the potential for damage
to individual users and systems and, to a lesser extent, to
the health of the institution.
Today there is no longer any doubt as to the success of
computer viruses. There are more than four hundred viruses
that have been identified and cataloged. Twenty-five of
these are classified as "common." That is, they are so
widespread as to be considered both successful and out of
control. Another sixty-six are classified as "rare." What
this really means is they are young, and their success is
not yet demonstrated. However, there are a sufficient
number of viruses in this class and copies of each of them
that the future success of some of them is certain.
One common virus, Jerusalem B, is estimated to have a
hundred thousand copies. Since it is known to date from
November 87, its rate of growth suggests that there may well
be sixteen million copies by November 91 [TIPP].
Most large institutions have now seen one or more viruses.
Many now report several infections a month. In some,
infection is now so routine that they no longer bother to
report. Given this success, it seems certain that all
organizations will suffer from infection. It is no longer a
question of whether or not, but only of when and how often.
While the concern remains damage to user systems and data,
this is no longer appropriate. The concern should be the
epidemic growth, damage to the community, and potential
damage to necessary trust.
Dealing with viruses is now a cost of doing business. You
Page 1
must pay. The only questions are whether you pay early or
late, with disruption or without.
Since viruses have demonstrated such rapid growth, they must
be removed. If they are not removed, ultimately they will
saturate the space. The requirement to remove them is
independent of the symptoms that they manifest. That is,
even if they did nothing other than make copies of
themselves, you would still have to remove them. Thus,
replication, all by itself, is a problem. [Some viruses are
self-limiting.]
In other words, while the symptoms of the virus may be
problematic, mere replication is THE problem. Therefore,
the strategy must be aimed at preventing replication and
spread, not simply at limiting and repairing damage. In the
face of the epidemic growth, the old strategy is the
equivalent of trying to deal with smallpox by washing your
hands and treating sores and fever.
The old strategy was intended to be conservative. Indeed,
when it was developed, it was conservative. In the light of
what we know today, it is merely timid. However, we have
restated it so many times that the timid are unable to
abandon it.
We were successful in eliminating smallpox from the face of
the earth only after we had a cheap, effective, and safe
vaccine. However, the existence and availability of the
vaccine proved not to have been sufficient; we also had to
have the will to apply it massively and pervasively.
We now have computer software that is the equivalent of a
number of broad spectrum vaccine. It is capable of
preventing a specific computer from being infected. More
important, it is capable of preventing the replication of
the virus. It is characterized by the fact that it is
resident and acts early. Some of it acts on the basis of
detection of the signature of known viruses; some by
recognizing trusted software. Its intended use is
distinguished from that of earlier scanning software by the
fact that it acts before, rather than after, the virus
executes and replicates. It is distinguished from some
resident programs by its intent to block execution, rather
than to block writing.
Some have suggested that there is nothing fundamentally
different about this software. They assert that IBM Scan
can do anything that this software can do. IBM insists that
their advice for good hygiene includes the advice that you
scan all new software BEFORE using. If you were to do that,
then the effect would be the same as vaccination software.
This argument fails to take into account how the viruses in
question really spread. It assumes that viruses spread when
people use new software that they know is new and that they
intend to use. In reality viruses are spreading from
machine to diskette and diskette to machine without any
conscious intent to share software. The software that is
Page 2
spreading the viruses are things like the loader in the
diskette boot sector, the operating system (e.g.
COMMAND.COM), TSRs (terminate-and-stay-RESIDENT programs),
and the MacIntosh FINDER. These are programs that are
beneath the level of notice or intent of most users and
beyond the level of knowledge of many.
In a typical scenario, a student enters a laboratory, picks
a machine at random, inserts a diskette and presses
Ctl-Alt-Del. With many of the successful viruses, if the
diskette is infected, the machine becomes infected. If the
machine was infected, the diskette becomes infected. When
the diskette is inserted in another machine, that machine
becomes infected. There was no intent to share software;
nothing to trigger the use of IBM-Scan in the way that IBM
recommends.
Use of IBM-Scan in the manner that IBM recommends, requires
both knowledge and intent on the part of the user. While it
is sufficient to protect any particular user or machine, it
has not been sufficient to resist the growth and spread of
viruses.
Many have resisted the use of such software on the basis
that it would not be one hundred percent effective. Those
vaccines that rely upon their ability to recognize the
virus, would not be effective against new viruses. While
this is true in principle, it does not matter much in
practice. They are effective against the widespread
viruses. They can be made effective against new viruses in
less time than those viruses can spread widely, though this
begs the question of timely distribution and maintenance.
Those that rely upon restricting execution to software
trusted by the user, are vulnerable to the user's being
duped. While it will always be possible for a user to be
baited into executing a virus, even in the presence of
software intended to resist it, the present success of the
viruses takes place in an environment in which there is no
resistance at all. It is reasonable to assume that the
software will be successful in resisting the execution of
the virus much of the time, perhaps often enough to retard
the epidemic growth.
There are those who resist the use of vaccines on the basis
that such use would simply encourage new and smarter
viruses. These viruses would take advantage of knowledge of
the vaccine to defeat it. This concern is based, in part,
upon acceptance of the fact that, at least in theory, there
is no perfect defense against a sufficiently smart virus.
Of course, this is true about any security measure and any
threat. Jake's Law asserts that "anything hit with a big
enough hammer will fall to pieces." However, a security
measure need not be one hundred percent effective for us to
use it. We use those that are efficient; those that
displace sufficient risk or damage to cover their cost. One
hundred percent effective security measures have infinite
cost. Therefore, we do not attempt to eliminate risk, but
rather to limit it. It is not necessary to be one hundred
Page 3
percent effective against all viruses all of the time in
order to resist, limit, or even reverse the growth.
Those who would tolerate today's viruses because resisting
them might make tomorrow's viruses worse, embrace the
strategy so thoroughly discredited at Munich. It is called
"let sleeping dogs lie." Unfortunately these dogs, like
those of war, are not sleeping, they are replicating.
Some have suggested that we should ignore the dogs and worry
about the dragon, the omniscient puissant virus. Of course,
no one has seen the dragon, but the dogs are here now and
their numbers are legion. "Oh, but" they say, "if you use
your arrows on the dogs, you may provoke the dragon into
existence. The dragon will be created to be specifically
resistant to your arrows. It will include knowledge about
your arrows and be so intelligent as to be able to overwhelm
your compromised defenses."
The intelligence of the virus is an issue only if it is
successful in getting itself executed. The idea behind
these vaccines is that they prevent the virus from getting
control in the first place.
Viruses are bad enough; we should not frighten ourselves
into inaction with our own fantasies. While there are
limits to the effectiveness of any defense against viruses,
there are also limits to their power. All of the hype to
the contrary notwithstanding, viruses cannot do magic. A
virus must succeed in getting itself executed in order to do
anything. In no circumstance can it make your PC levitate
off the desk and smash against the wall.
Part of the resistance appears to be rooted in a concern
that one vaccine would be so successful and pervasive as to
become a target for viruses. This would be unlikely in any
case. It is particularly unlikely in the face of the number
of candidates, the variety of strategies that they employ,
and the success that each has already achieved.
Some managers resist the use of this software because of
cost. Most of these managers are responsible for large
numbers of systems. When multiplied by these numbers of
systems, the cost of the software rapidly escalates into the
thousands of dollars.
If there were some question about whether or not their
systems would be infected, or if there were a limited cost
to it, this resistance might make sense. As it is, it is
almost a certainty that they will be infected. The only
questions are when and how often. The cost of dealing with
viruses is now a tax on the use of computers. Like other
taxes, it is inevitable. You will pay. You may pay early
with limited disruption, or late with unlimited disruption,
but you will pay.
The Jerusalem B virus may infect many of the systems on a
LAN in hours. The number of copies of Jerusalem B in a LAN
doubles in minutes to hours, depending upon user privileges.
Page 4
If not removed promptly, it may saturate the LAN in days.
It must be removed. At a minimum, removing it will require
the scanning and/or purging of all the hard disks. If the
systems on the LAN are not immunized before restarting the
file server, then the LAN will be reinfected within hours.
A few managers have purged a LAN twice. One or two have
even done it three times. We know of no one that has done
it four times. The cost of purging a hard drive once
approaches the cost of the software. The cost is not
avoidable.
We are in the incipient phase of an epidemic. The viruses
are multiplying at a significant rate. There are tens of
them and they do not compete until you begin to run out of
disk space. They are successful in spite of the best that
we can expect from our present strategy. It is the growth
of the virus, rather than its symptoms, that is the problem.
We are rapidly running out of time to cope.
We have a number of vaccines that are effective against all
of the viruses that are patently successful, and most of the
others. However, they must be applied to a system to
protect that system. They must be applied massively and
pervasively to be effective in halting or reversing the
growth. The earlier the better. It is urgent that we begin
now. It is time for a new strategy.
The new strategy will continue to include good hygiene and
backup copies of programs and other data. However, it must
include rapid, massive, and pervasive vaccination of all
business and academic systems, beginning with those that are
shared by multiple users. It must include isolation and
quarantine of unvaccinated systems.
No, I am not proposing law or regulation, or even political
pressure. I am proposing responsible behavior on the part
of influential people. If you have influence over a large
number of machines, you should vaccinate them. I am also
proposing peer pressure; we must influence each other and
support each other in responsible action.
It will require courage. It is difficult to go against the
conventional wisdom; it persists long after it ceases to be
wise.
I am certain that we will act; in the long run, I do not
believe that there is a choice. I am not hopeful that we
will act in time; the short run is all too short, and the
resistance to change all too high.
Page 5